--

When a Friend “Sends” You Junk Email

One of the main weapons of organized crime on the Internet is the use of junk email, also called spam. Hackers use spam for a number of purposes such as selling counterfeit products (medicines, particularly) to steal your personal or financial information, or to infect your computer with spyware and malware. This malicious software can then hijack your computer and your Internet connection to help propagate itself.

Available for purchase on the Internet black market, lists of email names and email addresses are a common commodity. The criminals will purchase sets of addresses and then use systems that have been infected with malware and enlisted into botnets to send other email for their nefarious purposes. One email address, which I’ve had for close to 20 years, receives dozens of junk messages per day. I’ve had the address so long that I probably couldn’t change it because people would send legitimate messages to the old address.

Often, we can tell that a message is junk because it is badly written, poorly formatted, or just looks “wrong.” The spam filters used by your Internet service provider and mail-reading software use many of these tell-tale signs. You may not even see the messages until you look in your Junk Email folder. As a reminder, you should periodically check that folder for valid messages that were flagged accidentally.

Spammers’ goals are to entice you to click on a web link or attachment. Most junk email addresses you with a generic name such as “Dear Customer,” if it has a salutation at all. This is one of the tell-tale signs of a spam message. So called “spear-phishing” messages will have the target’s name or email address prominently displayed. The hacker’s hope is that the victim will open the message simply because it is addressed to them.

A specialized extension of this technique is when the victim receives an email message that appears to originate from an acquaintance, but is really fake. After all, it would appear that a message from a relative, loved one, or friend would be more trustworthy.

So, how do hackers craft these email messages?

One of the uses of Trojan horse programs is to hijack a victim’s computer. The attacker could then harvest the contents of the infected computer’s address book. Once the attackers know the email names of the victim’s contacts, they could send spam to the mailboxes of these acquaintances. The person to whom the email was sent would see it originating from a possibly trusted source. Historically, this was the modus operandi of the “Love Bug” worm, where people would receive messages whose subject line read “I Love You!” Opening the email launched the virus infection.

The inspiration for this blog began with an email that seemed to come from a friend of my daughter. The fact that this young lady would send me a message was suspicious from the outset. Then, the message body read, “Check out this great deal” and included a web link. In fact, that was the entire content of the message, which made it even more suspect.

But, the email to which the hackers sent the message confirmed that it was fake. It turns out that I own my own Internet domain and receive mail through that. I really have only two addresses: my personal one and a “general delivery” address. When I give an email address to an untrusted source, I make up a name for that organization. Any email that isn’t sent to me personally goes to my general delivery mailbox, which I check regularly. A year earlier, I had signed up to vote for a friend who was competing in a bartender-of-the-year competition. I used the name “BOTY” as the email address, which meant any messages would go to my general delivery mailbox.

The spam that I received that seemed to originate with my daughter’s friend was addressed to that mailbox. Since my daughter’s friend could never have possibly known the mailbox name, the message had to be fake, ignoring the spam-like contents.

From looking at the email that seemed to originate with my daughter’s friend, it became clear that the company running the bartender-of-the-year contest had been hacked. The attackers simply paired recipient email addresses with another from the same database. The spammers’ hope is that a message appearing to originate with a trusted source would be more likely to seem legitimate. In other words, my daughter’s friend had nothing to do with sending the junk email. It would not really serve any purpose to let my daughter’s friend know that the message had been sent.

Unfortunately, this also occurred to my friend Tom (not his real name.) Don’t worry, Tom, it’s not really you. Friends complained to Tom that they were getting junk email from him. While it is possible that his computer or email account got hacked, it is unlikely. What probably happened is similar to the fake email from my daughter’s friend. Sadly, Tom went to all the work of setting up a new email address and telling everyone to update their address books.

But, if Tom’s computer was hacked or a friend’s was breached, then the hackers could access the new information as soon as their address books were updated. Worse, if a third party (such as the bartender-of-the-year contest’s website) was hacked, none of the defenses would have any benefit. In other words, Tom’s email had been obtained by hackers and they were impersonating him. Tom’s changing his email address and letting all his friends and relations know didn’t protect Tom because the hackers could still send messages faking the old address. Unhappily, there isn’t much that Tom could do to stop criminals from using his email address (even the old one) online.

Tom’s wife also helped spread malware through email. Jane uses Apple computers instead of a Windows-based PC. While Apple will tell people that they do not need antivirus programs, the company has incorporated its Gatekeeper security software to block malware. Although more rare than on Microsoft Windows, Mac malware has a long history going back to the DNSChanger worm and the Mac Defender outbreak. A quick search online shows that the major anti-malware all have solutions for Apple products.

In my friend’s case, it was worse, however. Jane is fond of forwarding political and religious messages supporting her social positions. I think we all know the kind, usually formatted with big letters in garish colors whose text is centered in the middle of the screen. The messages that Jane was forwarding were infected with malware. Jane was lucky that it didn’t affect her computer, but she was spreading the disease to all of her mail recipients.

Messages with forged senders may not just appear to come from friends. On the news, we regularly hear about companies whose websites have been hacked and had their email lists stolen — or worse, their credit card databases. There are archives on the Internet such as DataLossDB that provide searchable web resources related to data breaches. Even as I was writing this blog, I received a spam email that seemed linked to the breach of Adobe Systems’ web hack, and that was in October 2013.

And now to the delicate part: how do you tell your friend? In the case of my friend Tom where the spammers were simply impersonating his email address, I said nothing. Tom regularly changes his email address when he changes Internet service providers or cable companies. Because of the sensitive nature of telling someone that their computer is infected, there are a couple of things to keep in mind.

First, don’t reply directly to the email. Even though the message may appear to be sent from your friend, the actual address may be something else. Because of how email actually works, the cyber criminal’s address may be embedded in the “from” line. In other words, if you were to reply to the message, you might respond to the spammer and make yourself a further target.

Instead, get in touch with your friend through another path. My favorite technique is to actually use the “Forward” function of email and re-send the Junk mail to the victim, asking if they really sent the message. I actually do this often. For example, I get email online birthday cards from one of my mentors, whom I’ve known since I was a young security Padawan. He still remembers me, but I don’t trust any message that says “Click Here for Something Special,” so I always double-check before opening the link in the message.

When you ask your friend, “Did you really send this?” — he or she can confirm or deny it. Also, they can be warned of the possibility of the hack and they can also take appropriate action. Very often, this is as simple as your friend sending another email to their contacts saying that they weren’t responsible for the junk email.

Unfortunately, as tempting as it may be, you probably shouldn’t flag the message as junk or spam in your mail reader or online because you run the risk of blocking all other messages from your friend. In security parlance, you would “blackhole” the message and (possibly) other future messages from this same sender.

If this junk email occurs only once (as is often the case,) then you could just ignore it. If you continue to receive the unwanted email, most mail readers on your PC or online will allow you to create rules to handle special messages. You could simply create a rule to send the message to the Junk folder, or you might chose to create a special folder and redirect the spam there. Again, be sure to check your Junk Email folder periodically for legitimate messages that were intercepted by mistake.

To the person who’s being impersonated on the Internet, there are some rather emotional feelings. If the person’s email address was stolen from a third party, as is often the case, then your friend is the victim of identity theft. Even if this theft isn’t for the purposes of getting even more of their personal information, this can be traumatic. If your friend’s computer was really hacked or infected, their response could be similar to being told that they have a major disease, to a sense of being violated, to anger. Even though you’re not at fault, they may be upset enough to “shoot the messenger.”

No matter how angry you may be, when dealing with your friend, you should show compassion and sympathy. After all, you’re the one who got the junk email, but they are the ones who got hacked. Knowing what you know now, you can help them understand and respond to the problem. After all, it was a friend who appeared to send you that junk email, wasn’t it?

Many employees are not as well-versed in their company’s security policy as they should be. This may result in workers performing tasks that might seem innocent or benign on the...

The majority of information security education emphasizes the definition and application of best practices. First, a network or system administrator needs to understand the proper application and configuration of network...